Data protection specialists report that the gasoline-buying app operated by the popular 7-Eleven store chain was the target of a supposed cyberattack that led to a sensitive data breach that exposed details such as user names, phone numbers, among others.
Last Thursday, the company opted to disconnect the app for a few hours, after one of the users notified that it was possible to access the personal information of many other users through the app, which has about two million downloads. The app allows you to make fuel payments in advance, with which users try to take advantage and fill their fuel tanks at the lowest possible price.
The user who reported the error, whose identity was not revealed, mentioned that he discovered the leak a few days ago, while trying to login to the app as usual. When he signed in with his own login credentials, he found another user’s account information instead of his. When the user logged out and logged back in, he found the data for a different user again. After checking the veracity of the user’s report, 7-Eleven data protection team announced emergency maintenance.
Hours later, a company spokesperson mentioned that the app was already online again, although he added that he could not comment on the cybersecurity incident, because the investigation is still ongoing. “Some technical issues were detected in the mobile application (7-Eleven Fuel). The issue has already been resolved and the services are available to all users. We will continue to investigate the incident in collaboration with the relevant authorities,” the spokesman concluded.
Because the incident occurred in Australia, data protection experts mention that the company must adhere to data protection laws in Australia. Under Australian law, companies that are victims of data breaches must notify the Information Commissioner’s Office, as well as affected users, when the incident involves information that may be used to the detriment of users.
A few hours later, a representative of the Australian Information Commissioner’s Office confirmed to local media that the company had already begun the process: “We can confirm that we have received a notification about a possible data breach in 7- Eleven.” Up to this point in 2019, this organization has received 1,160 reports on data breaches, including 900 incidents considered high seriousness.
Other cybersecurity incidents have recently occurred in this chain of stores. A few months ago, data protection specialists from the International Institute of Cyber Security (IICS) reported that 7-Eleven Japan suspended its mobile payment service (which had just been implemented) after an unauthorized third party achieved exploit a vulnerability to charge other customers’ accounts fraudulently.